Legislation that protects against cybercrime can in some instances threaten freedom of expression

In Kenya, portions of the Computer Misuse and Cybercrimes Act of 2017 were temporarily suspended in May by the country’s High Court. Bloggers had argued that the cybercrime legislation was an attempt to reintroduce laws previously used to clamp down on freedom of expression. Last year, these criminal libel provisions, contained in the Defamation Act, were declared unconstitutional by the court.

In SA, the Cybercrimes and Cybersecurity Bill seeks to regulate not just crime but all social media. It criminalises ‘fake news’ – defined as sending messages ‘inherently false in nature’ – while leaving it up to the government (and probably the State Security Minister) to decide what content fails to pass the test. The bill spawned a public rejection under the hashtag #HandsOffSocialMedia.

In Nigeria, the Cybercrimes Act of 2015 has been used to detain dissenting journalists. Section 24 of the act deems it an offence to send any content that is ‘offensive…or menacing in character’. Similar to clauses in the original Kenyan and SA legislation, this makes it a crime to respond to a public political figure (for example Donald Trump) by suggesting on Twitter that he ‘go boil his head’ or ‘just shoot himself’. While the remark is obviously not meant to be taken literally (and is instead a figure of speech expressing extreme exasperation), in the hands of a repressive politician, it could be misused to silence voices attempting to articulate political opposition or point out instances of maladministration.

The problem with much of the cybercrime legislation is that it goes too far and attempts to do too much. Often, other legal tools also exist to deal with cyber offences. In SA, genuine cyberbullying can be dealt with under the Protection from Harassment Act of 2011, which allows individuals to obtain a protection order against their harasser. If it is breached in any way, including electronically, the continued harassment is considered a criminal offence.

Cybercrime, of course, is a growing problem. A joint publication from software security giant McAfee, in partnership with the Centre for Strategic and International Studies, suggests that the phenomenon stole as much as $600 billion from the global economy in 2017, up from $445 billion in 2014. The report provides some startling details. It estimates that two-thirds of people online – more than 2 billion individuals – have had their personal information stolen or compromised.

While cybercrime is international, the responses are national. No matter how improved or state-of-the-art national laws may be, they’re unlikely to be effective against someone clicking a mouse in a country on the other side of the world. There are international agreements on cybercrime co-operation, such as the Council of Europe’s Convention on Cybercrime – but these are little more than gestures. Effective policing requires a specialised agency with specialised skills, fast response times and a mandate to track and apprehend suspects. So far there is no such agency, and no legal basis for establishing one.

Committing cybercrime is low risk and lucrative. In 2016, an attempted hit on a Bangladeshi bank came close to netting nearly $1 billion (although in the end, the hackers got away with ‘just’ $81 million). Bangladesh is a good example because it illustrates which nations are most vulnerable – middle-income countries, where institutions have something worth stealing combined with lower levels of security than the developed world. Countries such as SA, Kenya and Nigeria fall into this zone.

Solutions are not easy to come by and none are likely to be permanent, given the rapidly changing nature of the technology. One thing, however, is certain… Compromising freedom of expression is not going to help.